Hi,
we use an Active Directory (Server 2012) and a FreeIPA 4.5.4 installation. FreeIPA runs under CentOS 7, sssd version is sssd-1.16.0-19.el7.x86_64. Between AD and FreeIPA we have set up a one-way trust. For some AD users, we have set up a uid override under "Default Trust View" in FreeIPA. This overwrite is regularly lost on the FreeIPA server. If we clear the sssd cache (systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd), the override takes effect again. Here is a history for today:
2018-07-03 10:55:01 2018-07-03 11:05:01 2018-07-03 11:06:01 2018-07-03 11:10:01 2018-07-03 11:12:01 2018-07-03 11:15:01 2018-07-03 11:29:01 2018-07-03 11:31:01 2018-07-03 11:34:01
As you can see, there is no periodicity, from yesterday to today it runs for about 11h without problems, and today since 11:34
How can we fix the problem?
Michael

On Tue, 03 Jul 2018, Michael Gusek via FreeIPA-users wrote:
> Hi,
> we use an Active Directory (Server 2012) and a FreeIPA 4.5.4 installation. FreeIPA runs under CentOS 7, sssd version is sssd-1.16.0-19.el7.x86_64. Between AD and FreeIPA we have set up a one-way trust. For some AD users, we have set up a uid override under "Default Trust View" in FreeIPA. This overwrite is regularly lost on the FreeIPA server. If we clear the sssd cache (systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd), the override takes effect again. Here is a history for today:
> 2018-07-03 10:55:01 2018-07-03 11:05:01 2018-07-03 11:06:01 2018-07-03 11:10:01 2018-07-03 11:12:01 2018-07-03 11:15:01 2018-07-03 11:29:01 2018-07-03 11:31:01 2018-07-03 11:34:01
> As you can see, there is no periodicity, from yesterday to today it runs for about 11h without problems, and today since 11:34
> How can we fix the problem?

It is unclear from your explanation where the override is lost. Is it that the LDAP entry for the override disappears? Or is it SSSD that is forgetting an override?

Hi Alexander,
it's SSSD, we check it with id -u user@example.com.
Michael

On 03.07.2018 at 14:57, Alexander Bokovoy via FreeIPA-users wrote:
> On Tue, 03 Jul 2018, Michael Gusek via FreeIPA-users wrote:
>> Hi,
>> we use an Active Directory (Server 2012) and a FreeIPA 4.5.4 installation. FreeIPA runs under CentOS 7, sssd version is sssd-1.16.0-19.el7.x86_64. Between AD and FreeIPA we have set up a one-way trust. For some AD users, we have set up a uid override under "Default Trust View" in FreeIPA. This overwrite is regularly lost on the FreeIPA server. If we clear the sssd cache (systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd), the override takes effect again. Here is a history for today:
>> 2018-07-03 10:55:01 2018-07-03 11:05:01 2018-07-03 11:06:01 2018-07-03 11:10:01 2018-07-03 11:12:01 2018-07-03 11:15:01 2018-07-03 11:29:01 2018-07-03 11:31:01 2018-07-03 11:34:01
>> As you can see, there is no periodicity, from yesterday to today it runs for about 11h without problems, and today since 11:34
>> How can we fix the problem?
> It is unclear from your explanation where the override is lost. Is it that the LDAP entry for the override disappears? Or is it SSSD that is forgetting an override?

On Tue, 03 Jul 2018, Michael Gusek via FreeIPA-users wrote:
> Hi Alexander,
> it's SSSD, we check it with id -u user@example.com.

Then you need to gather logs from SSSD on the IPA master. Basically, add
debug_level = 9
in domain and nss sections to /etc/sssd/sssd.conf and restart sssd.
Logs will be large so it would be good to gather them and put them somewhere.
General troubleshooting notes apply: https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html

Ok, I've activated logging for all sections, I missed section nss. I will upload log files next time if I run into trouble.
Michael

On 03.07.2018 at 15:49, Alexander Bokovoy wrote:
> On Tue, 03 Jul 2018, Michael Gusek via FreeIPA-users wrote:
>> Hi Alexander,
>> it's SSSD, we check it with id -u user@example.com.
> Then you need to gather logs from SSSD on the IPA master. Basically, add
> debug_level = 9
> in domain and nss sections to /etc/sssd/sssd.conf and restart sssd.
> Logs will be large so it would be good to gather them and put them somewhere.
> General troubleshooting notes apply: https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html

On Tue, 03 Jul 2018, Michael Gusek via FreeIPA-users wrote:
> Ok, I've activated logging for all sections, I missed section nss. I will upload log files next time if I run into trouble.

Please don't post it publicly as it would contain quite a number of details about your deployment.
freeipa-users@lists.fedorahosted.org
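
One way to answer the question raised in the thread (has the override entry disappeared from LDAP, or has SSSD stopped applying it?) and to keep the debug logs from the moment of failure. This is an added example, not part of the original messages. It assumes a valid Kerberos ticket for the ipa command and that ipa idoverrideuser-show prints a "UID:" (or, with --raw, "uidnumber:") line; the function names, the expected uid and the snapshot directory are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Run from cron on the IPA master as:
#   check-override.sh user@example.com EXPECTED_UID /root/sssd-snapshots

# Decide where the override was lost.
#   $1 uid the override should give
#   $2 uid stored in the IPA override entry (empty if the entry is missing)
#   $3 uid SSSD returns via `id -u`
classify_override() {
    expected=$1; ldap_uid=$2; sssd_uid=$3
    if [ -z "$ldap_uid" ]; then
        echo "ldap-entry-missing"
    elif [ "$ldap_uid" != "$expected" ]; then
        echo "ldap-entry-changed"
    elif [ "$sssd_uid" != "$expected" ]; then
        echo "sssd-lost-override"
    else
        echo "ok"
    fi
}

# Pull the uid out of `ipa idoverrideuser-show` output.
# Assumption: the line is labelled "UID:" or, in raw mode, "uidnumber:".
parse_override_uid() {
    awk -F': *' 'tolower($1) ~ /^ *(uid|uidnumber)$/ { print $2; exit }'
}

check_once() {
    user=$1; expected=$2; snapdir=$3
    ldap_uid=$(ipa idoverrideuser-show 'Default Trust View' "$user" 2>/dev/null \
        | parse_override_uid)
    sssd_uid=$(id -u "$user" 2>/dev/null)
    state=$(classify_override "$expected" "$ldap_uid" "$sssd_uid")
    echo "$(date '+%Y-%m-%d %H:%M:%S') $user ldap=$ldap_uid sssd=$sssd_uid $state"
    if [ "$state" != "ok" ]; then
        # debug_level = 9 logs describe the deployment in detail:
        # keep the snapshot readable by root only.
        ( umask 077
          tar -czf "$snapdir/sssd-logs-$(date +%Y%m%dT%H%M%S).tar.gz" -C /var/log sssd )
    fi
}

# Only act when called with the three arguments shown above.
if [ "$#" -eq 3 ]; then check_once "$@"; fi
```

A result of sssd-lost-override with an intact LDAP entry points at the SSSD cache on the IPA master, which is the case the thread goes on to debug.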